curl-library

Re: is CVE-2014-0139 fixed in libcurl-7.19.7-40.el6_6.4.x86_64

From: Paul Howarth <paul_at_city-fan.org>
Date: Wed, 18 Feb 2015 16:47:16 +0000

On 18/02/15 16:07, Patrick Rael wrote:
> Hi,
> I need to confirm if the CVE-2014-0139 fix is in libcurl. Normally we do
> this by checking the rpm changelog for CVEs, it did find CVE-2014-0138,
> but I can't get confirmation for 0139. I see lots of comments about
> fixes that were checked into GitHub and showing actual lines added, but
> nothing in the changelog so I can't confirm it.
>
> # cat /etc/centos-release
> CentOS release 6.6 (Final)
>
> # rpm -qa | grep curl
> libcurl-7.19.7-40.el6_6.4.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-40.el6_6.4.x86_64
>
> # rpm -q libcurl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
> - fix connection re-use when using different log-in credentials
> (CVE-2014-0138)
>
> # rpm -q curl --changelog | egrep "CVE-2014-0138|CVE-2014-0139"
> - fix connection re-use when using different log-in credentials
> (CVE-2014-0138)
>
>
> Note: CentOS rpm versions don't match the redhat rpm versions, that's
> why we use the changelog to check for the fix.

This is news to me. In what way are they different?

> Thanks for any help!

CVE-2014-0139 does not affect EL-6 because it uses the NSS backend:

https://bugzilla.redhat.com/show_bug.cgi?id=1079149#c8

Paul.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-18
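The two checks discussed in this exchange, the rpm changelog grep for a CVE identifier and the question of which TLS backend the installed curl was built against, as a small added shell example. This is not code from the curl project or from either poster; the changelog excerpt and `curl -V` version line are constructed to resemble EL6 output, and the function names (`cve_mentioned`, `tls_backend`, `verdict`) are the example's own. On a real host the inputs come from `rpm -q libcurl --changelog` and `curl -V | head -1`.

```shell
#!/bin/sh
# Added example (not from the curl project or the list posts).
# (1) cve_mentioned: does a CVE id appear in an rpm changelog dump, matched as
#     a whole identifier so a longer id with the same prefix is not accepted?
# (2) tls_backend: which TLS library does the first line of `curl -V` name?
# (3) verdict: combine both; a missing changelog entry is not proof of
#     vulnerability, the fix may simply not apply to this backend.

# Constructed changelog excerpt; assumption: mirrors `rpm -q libcurl --changelog`.
CHANGELOG='* Tue Jan 13 2015 Example Packager <packager@example.invalid> - 7.19.7-40.4
- fix connection re-use when using different log-in credentials
  (CVE-2014-0138)
- rebuild against updated NSS'

# Constructed first line of `curl -V` on an NSS-backed EL6 build.
VERSION_LINE='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

# cve_mentioned CHANGELOG_TEXT CVE_ID -> exit 0 if CVE_ID occurs as a whole
# identifier (CVE-2014-0138 must not satisfy a query for CVE-2014-01380).
cve_mentioned() {
    printf '%s\n' "$1" | grep -Eq "(^|[^0-9A-Za-z-])$2"'([^0-9]|$)'
}

# tls_backend VERSION_LINE -> prints NSS, OpenSSL, GnuTLS, PolarSSL or unknown.
# The backend is identified by the "NAME/version" token in the version line.
tls_backend() {
    for lib in NSS OpenSSL GnuTLS PolarSSL; do
        case " $1 " in
            *" $lib/"*) printf '%s\n' "$lib"; return 0 ;;
        esac
    done
    printf 'unknown\n'
}

# verdict CHANGELOG_TEXT VERSION_LINE CVE_ID -> one-line status for the auditor.
verdict() {
    if cve_mentioned "$1" "$3"; then
        printf '%s: fix recorded in changelog\n' "$3"
    else
        printf '%s: not in changelog (backend: %s); check the distributor advisory before concluding\n' \
            "$3" "$(tls_backend "$2")"
    fi
}

# Usage: run both ids from the thread against the constructed data.
verdict "$CHANGELOG" "$VERSION_LINE" CVE-2014-0138
verdict "$CHANGELOG" "$VERSION_LINE" CVE-2014-0139
```

The backend check matters because the thread's answer turns on it: a CVE that only affects one TLS backend will never show up in the changelog of a package built against another, so "not in changelog" has to be read together with the backend before deciding whether a host is exposed.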